CVE-2026-11879
Description
MobaXterm Personal Edition 26.3 loads DLLs from a predictable temporary directory, enabling local attackers to execute arbitrary code via a malicious DLL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
MobaXterm Personal Edition (Portable) version 26.3 (Build 5154) contains a DLL search-order hijacking vulnerability (CWE-427). During startup, the application searches for specific DLLs in a predictable temporary directory before falling back to secure system paths. This allows an attacker with local access to place a specially crafted malicious DLL in that directory, which will be loaded automatically when the victim launches MobaXterm [1].
Exploitation
An attacker needs only local access to the system (low privileges) and the ability to write files to the predictable temporary directory. No user interaction beyond launching the application is required. The attacker places a malicious DLL in the temporary directory; upon the next launch of MobaXterm, the application loads the DLL, executing the attacker's code [1].
Impact
Successful exploitation results in arbitrary code execution in the context of the user running MobaXterm. This compromises the confidentiality, integrity, and availability of the affected system, as reflected by the CVSS v4.0 base score of 8.5 (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) [1].
Mitigation
The vulnerability has been fixed by Mobatek in version 26.4. Users should upgrade to this version immediately. No workarounds are documented in the available references [1].
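One way to look for the load behaviour described under Vulnerability on hosts that still run 26.3, as an added example (not Mobatek's code and not part of the CVE record): it triages Sysmon ImageLoad (Event ID 7) records, given here as constructed dicts, for DLLs that a MobaXterm process loaded from a Temp folder. The Temp path markers, the executable-name match and every sample path are assumptions, because the record does not name the directory or the DLLs.

```python
import ntpath

# Assumption: the record does not name the directory, so any path under a
# per-user or system Temp folder counts as the "predictable temporary directory".
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

def is_mobaxterm(image):
    # Assumption: the portable executable's file name starts with "MobaXterm".
    return ntpath.basename(image).lower().startswith("mobaxterm")

def loaded_from_temp(path):
    # Normalise separators and case before matching (Windows paths are case-insensitive).
    p = ntpath.normpath(path).lower()
    return any(marker in p for marker in TEMP_MARKERS)

def triage(events):
    """Return (severity, ImageLoaded) for each Temp-folder DLL load by MobaXterm."""
    findings = []
    for ev in events:
        if not is_mobaxterm(ev["Image"]) or not loaded_from_temp(ev["ImageLoaded"]):
            continue
        # Sysmon Event ID 7 reports Signed and SignatureStatus for the loaded image.
        trusted = ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid"
        # A validly signed DLL in Temp still deserves a look, at lower priority.
        findings.append(("review" if trusted else "alert", ev["ImageLoaded"]))
    return findings

# Constructed sample records (field names follow Sysmon Event ID 7; values are invented).
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\MobaXterm_Personal_26.3.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Tools\MobaXterm_Personal_26.3.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\example_dir\example.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Tools\MobaXterm_Personal_26.3.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\example_dir\signed_helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Other\other.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\x\y.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for severity, dll in triage(SAMPLE_EVENTS):
        print(f"{severity}: {dll}")
```
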
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.